Signature verification failed on SPKAC public key – Fix OpenCA error

After installing OpenCA and setting up the Certificate Authority (CA), I encountered an error, “Signature verification failed on SPKAC public key”, while signing the end-entity certificate request on the CA machine.

The error “signature verification failed on SPKAC public key” says that the issue occurs while signing the SPKAC public key. The request was generated in the user's browser window.

The browser-generated request consists of an SPKAC public key and a signature. The SPKAC probably uses MD5 in its signature. That is insecure, and OpenSSL does not verify signatures which use MD5 by default.

So how do we tell OpenSSL to accept requests that use MD5? Here’s how.

How to fix Signature verification failed on SPKAC public key

Set the environment variable OPENSSL_ENABLE_MD5_VERIFY as a workaround to allow OpenSSL to sign requests that use MD5. Because OpenCA uses sessions, you cannot just set the environment variable on the command line. You need to set it programmatically, so that it is set whenever OpenCA invokes the OpenSSL command to sign.